Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser

D. A. Sigalov; A. V. Razdobarov; A. A. Petukhov

Geodesic

Parcourir par

Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser

D. A. Sigalov ; A. V. Razdobarov ; A. A. Petukhov

Prikladnaâ diskretnaâ matematika, no. 1 (2017), pp. 63-75.

Voir la notice de l'article provenant de la source Math-Net.Ru

Résumé

In recent years, a significant part of web application functionality moves to client side. Increasing complexity of client-side code leads to a considerable growth in the number of client-side vulnerabilities and even to an emergence of new types of vulnerabilities, among which DOM-based XSS is most well-known. In this paper, we present an approach to detect and validate DOM-based XSS vulnerabilities. Our approach leverages dynamic tracking of data flows on the client side of web application to identify insecure ones (those which lead to vulnerability). An insecure data flow is a flow, in which a critical operation is data-dependent on attacker-controlled data, which is not sanitised properly. Data flows are tracked and classified using taint propagation technique (also known as “taint checking”). Potentially insecure data flows are tested for the presence of exploitable vulnerability by means of fuzzing – enumeration of possible attack vectors, which are passed to a data flow source. Vulnerability is confirmed if an execution of any injected payload is observed. Our approach was implemented on top of Firefox browser, controlled via it's debugger API. The paper discusses and justifies advantages of such implementation. The paper also provides an analysis of related work in the subject field, and comparison with other approaches is made. The proposed approach and its implementation are maintainable and extensible, which is crucial for analyzing applications in constantly evolving environment such as client side web technologies.

Keywords: DOM-based XSS, web application vulnerabilities, dynamic analysis, fuzzing.

@article{PDM_2017_1_a5,
     author = {D. A. Sigalov and A. V. Razdobarov and A. A. Petukhov},
     title = {Detecting {DOM-based} {XSS} vulnerabilities using debug {API} of the modern web-browser},
     journal = {Prikladna\^a diskretna\^a matematika},
     pages = {63--75},
     publisher = {mathdoc},
     number = {1},
     year = {2017},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDM_2017_1_a5/}
}

TY  - JOUR
AU  - D. A. Sigalov
AU  - A. V. Razdobarov
AU  - A. A. Petukhov
TI  - Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser
JO  - Prikladnaâ diskretnaâ matematika
PY  - 2017
SP  - 63
EP  - 75
IS  - 1
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDM_2017_1_a5/
LA  - ru
ID  - PDM_2017_1_a5
ER  -

%0 Journal Article
%A D. A. Sigalov
%A A. V. Razdobarov
%A A. A. Petukhov
%T Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser
%J Prikladnaâ diskretnaâ matematika
%D 2017
%P 63-75
%N 1
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDM_2017_1_a5/
%G ru
%F PDM_2017_1_a5

D. A. Sigalov; A. V. Razdobarov; A. A. Petukhov. Detecting DOM-based XSS vulnerabilities using debug API of the modern web-browser. Prikladnaâ diskretnaâ matematika, no. 1 (2017), pp. 63-75. http://geodesic.mathdoc.fr/item/PDM_2017_1_a5/

Bibliographie
Cité par

[1] Stefano D. P., Heiderich M., Braun F., DOM XSS Test Cases Wiki Cheatsheet Project, , 2010 https://code.google.com/p/domxsswiki/

[2] Standarty yazyka programmirovaniya ECMAScript, http://www.ecma-international.org/publications/standards/Ecma-262.htm

[3] Schwartz E. J., Avgerinos T., Brumley D., “All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)”, IEEE Symp. Security and Privacy, IEEE, Auckland, 2010, 317–331

[4] Wagner D., “Static analysis and software assurance”, SAS'01, Proc. 8th Intern. Symp. Static Analysis, Springer Verlag, Paris, 2001, 431 | MR

[5] Dokumentatsiya otladochnogo interfeisa Mozilla Debugger API., https://developer.mozilla.org/en-US/docs/Tools/Debugger-API

[6] McLean J., “Security Models”, Encyclopedia of Software Engineering, John Wiley Sons Inc., N.Y., 1994, 1136–1145

[7] Chugh R. et al., “Staged information flow for JavaScript”, ACM Sigplan Notices, 44:6 (2009), 50–52 | DOI

[8] Guha A., Krishnamurthi S., Jim T., “Using static analysis for Ajax intrusion detection”, Proc. 18th Intern. Conf. on World Wide Web, ACM, Madrid, 2009, 561–570

[9] Madsen M., Livshits B., Fanning M., “Practical static analysis of JavaScript applications in the presence of frameworks and libraries”, Proc. 9th Joint Meeting on Foundations of Software Engineering, ACM, St. Petersburg, 2013, 499–509

[10] Feldthaus A. et al., “Efficient construction of approximate call graphs for JavaScript IDE services”, 35th Intern. Conf. Software Engineering (ICSE), IEEE, San Francisco, 2013, 752–761

[11] Dokumentatsiya emulyatora upravlyaemogo veb-obozrevatelya HtmlUnit, , 2016 http://htmlunit.sourceforge.net/

[12] Opisanie Codemagi Burp DOM-XSS Scanner – rasshireniya dlya instrumenta BurpSuite, prednaznachennogo dlya poiska DOMXSS, https://www.codemagi.com/downloads/dom-xss-scanner-checks

[13] Opisanie StaticBurp – rasshireniya dlya instrumenta BurpSuite, prednaznachennogo dlya poiska DOMXSS, http://www.ethicalhack3r.co.uk

[14] Opisanie sredstva poiska DOMXSS DOMinator, https://dominator.mindedsecurity.com/

[15] Just S. et al., “Information flow analysis for JavaScript”, Proc. 1st ACM SIGPLAN Intern. Workshop on Programming Language and Systems Technologies, ACM, Portland, 2011, 9–18

[16] Lekies S., Stock B., Johns M., “25 million flows later: large-scale detection of DOM-based XSS”, Proc. ACM SIGSAC Conf. Computer Communications Security, ACM, Berlin, 2013, 1193–1204

[17] Lekies S., Stock B., Johns M., “Practical blended taint analysis for JavaScript”, Proc. Intern. Symp. Software Testing and Analysis, ACM, Lugano, 2013, 336–346

[18] Xiao W. et al., “Preventing client side XSS with rewrite based dynamic information flow”, Sixth Intern. Symp. Parallel Architectures, Algorithms and Programming (PAAP), IEEE, Pekin, 2014, 238–243

[19] Jang D. et al., “Rewriting-based dynamic information flow for JavaScript”, 17th ACM Conf. Computer and Communications Security, ACM, Chicago, 2010 http://goto.ucsd.edu/~rjhala/papers/rewriting_based_dynamic_information_flow_for_javascript.pdf

[20] Prabawa A., Chin W. N., Titania: Generic Dynamic Information Flow Analysis Framework for JavaScript, , (access date 01.09.2016) http://www.comp.nus.edu.sg/~adi-yoga/Titania/Titania.html

[21] Dokumentatsiya sredstva poiska DOMXSS Ra.2, https://code.google.com/p/ra2-dom-xss-scanner/

[22] Opisanie sredstva poiska DOMXSS JSPrime, http://www.jsprime.org

[23] Guarnieri S. et al., “Saving the world wide web from vulnerable JavaScript”, Proc. Intern. Symp. Software Testing and Analysis, ACM, Toronto, 2011, 177–187

[24] Saxena P. et al., “A symbolic execution framework for JavaScript”, IEEE Symp. Security and Privacy, IEEE, Auckland, 2010, 513–528

[25] Tripp O., Ferrara P., Pistoia M., “Hybrid security analysis of Web JavaScript code via dynamic partial evaluation”, Proc. Intern. Symp. Software Testing and Analysis, ACM, San Jose, 2014, 49–59